MASSACHUSETTS COMPUTER STOLEN Blue Cross physicians warned of data breach - The Boston Globe:


The Boston Globe
Blue Cross physicians warned of data breach
Stolen laptop had doctors’ tax IDs
By Kay Lazar
Globe Staff / October 3, 2009

The largest health insurer in Massachusetts is warning roughly 39,000 physicians and other health care providers in the state that personal information, including Social Security numbers, may have been compromised after a laptop containing the data was stolen in August from an employee of the Blue Cross and Blue Shield Association’s national headquarters in Chicago.

The breach involves “tens of thousands’’ of physicians nationwide, although the precise number is unclear, according to a national Blue Cross-Blue Shield spokesman. Thirty-nine affiliates feed information about providers into a database maintained by the association’s national headquarters.

Massachusetts doctors were not notified by letter until yesterday, because state Blue Cross-Blue Shield officials said they did not at first know what kind of data were on the stolen laptop. They said the data did not contain any information about patients or personal health records.

“It took some time to figure out what type of data was on the laptop,’’ said Tara Murray, Blue Cross and Blue Shield of Massachusetts spokeswoman. “There is no reason to be believe the data has been used to steal people’s identity, but we are just being cautious . . . to notify them and offering free credit monitoring.’’

Jeff Smokler, national Blue Cross-Blue Shield spokesman, said the insurance giant - roughly 90 percent of physicians nationwide are in its network - encrypts all of its information on company computers, but an employee who was authorized to have the information violated company rules by downloading an unencrypted version onto a personal laptop. The laptop was stolen after the employee left headquarters with it.

He said corrective action has been taken, but declined to elaborate.

Blue Cross-Blue Shield affiliates across the country typically feed updated personal information about health care providers weekly to the Chicago headquarters for a national database that helps patients locate a provider outside their local health plan’s service area. It is information used to build this database that was stolen.

Smokler said the data breach was perhaps the most serious for Massachusetts physicians and other providers because they typically use their Social Security number as their tax identification number. Physicians in most other states, he said, choose separate tax ID numbers.

“As soon as the breach occurred and we were made aware of it, we have been working with every single plan across the system to alert their providers who may have been impacted, and we are providing a year of free credit monitoring,’’ he said.

Dr. Alice Coombs, Massachusetts Medical Society president-elect, said in a statement last night that it is “disappointing and distressing that such information was not kept more securely, and we hope the association will take whatever steps are necessary to protect physicians’ information now and in the future.’’ The society represents roughly 22,000 physicians and medical students.

Murray, the Massachusetts Blue Cross-Blue Shield spokeswoman, said the breach has prompted the insurance company to review its security procedures, and a top priority will be to persuade state physicians and other health care providers to apply for a new tax ID number that is not the same as their Social Security number.

She also said the company will be adding more encryption coding to the information that it sends the national affiliate.

Kay Lazar can be reached at klazar@globe.com.